Saturday, September 14, 2013

Web Server Hacking through Command Injection

POSTED ON 8/06/2013 09:20:00 AM BY VIV EK

Hello, folks! Did you know? Command Injection is the most dangerous web vulnerability, and it's a little harder to find. Command Injection is also called Command Execution, Code Injection, or Remote Code Execution. This is my first post on command injection, so I'll start with a basic and simple tutorial. I may post some advanced techniques in the future, depending on my learning. #Command execution is my favorite vulnerability :)

What is Command Injection :
Command Injection is one of the most dangerous web vulnerabilities. It occurs when an attacker sends unauthorized commands to a web server and the server accepts them, because the application connected to the server's operating system does not properly validate client input and has no filter or whitelist to block unwanted commands. That allows an attacker to inject any command into the web server's operating system.

One simple example of Command Injection: Assume that your current computer is a web server. As you all know, every web host needs an operating system for its server, such as Linux, Windows or Unix. Every website has its own server and operating system, which is connected to the World Wide Web. Every OS also has a terminal, like Command Prompt in Windows.

Now assume that you create a web application that allows any user to ping an IP. To do that you have to connect your terminal or command prompt to the web application (only an OS terminal connected to the WWW can ping the requested IP). Without any user input filtering and validation, your application blindly trusts the client's request and executes it in the web server's OS terminal.

So what if an attacker determines that your application is vulnerable to command injection and sends unauthorized commands to the server terminal? He can gain complete access to your web server. It's like handing your OS terminal to an attacker: whoever controls the OS terminal can do anything on the web server, such as shell upload, website defacement, database takeover, creating multiple vulnerabilities, etc.

Understanding Complete Command Injection :
Fine, guys. If you still don't understand what exactly command injection is and how it works, here is a simple tutorial for you. Just follow the steps below and learn command execution in a day.

Requirements :

DVWA Pen-testing lab or OWASP BWA - (DVWA)
Basic knowledge of Windows CMD and Linux Terminal
Little Networking Knowledge
Burp Suite (Not Recommended)

Simple Command Execution tutorial for Beginners :
I'm going to show you a simple command execution tutorial using the OWASP BWA (DVWA) pentest lab, which runs in a virtual machine. We'll execute our command on the server and will be able to take down the complete website.

As you know, DVWA is already vulnerable to command execution (for pentesting), so we don't need to find the vulnerability. We directly determine the OS and execute commands.

Now, in the image below you can see that Burp Suite found the server information:

Or, you can also use Nmap for more information:

If you have a little knowledge of networking, you can easily understand what it is and how things work. If you want to learn networking, click here.

To become an expert in command execution you have to learn Linux, Python, Perl, C and DOS programming languages, not completely, but you must know about 40% to 50%. So guys, back to the injection attack.

Open the DVWA (Command Injection) vulnerability page. As I told you, the DVWA web app allows anyone to ping an IP, and it is connected to the Command Prompt. Check the source code to see how the web app works.

Try to understand exactly how it works and what we have to do to hack the web server. As you know, a complete server can be compromised via the Command Prompt or terminal. Normally we use this command to ping an IP using Command Prompt in Windows: "ping WEBSITE YOU WANT TO PING"

The DVWA web application does the same thing, which means we are effectively on the Command Prompt. As you saw in the source code, it doesn't have any type of filter to filter user input and save the server from command injection attacks.
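
The missing filter described above, as an added example (not DVWA's source and not code from this post): the unfiltered string-building pattern next to a version that accepts only a single IPv4 address and runs ping without a shell. The function names and the use of Python are assumptions made for illustration.

```python
import ipaddress
import platform
import subprocess

def vulnerable_command_line(user_input):
    # The pattern the post describes: user input concatenated into a string
    # that would be handed to the OS shell. Returned here, never executed.
    return "ping " + user_input

def build_ping_argv(user_input, count=1):
    # Allow-list: the field must parse as one IPv4 address and nothing else.
    try:
        addr = ipaddress.IPv4Address(user_input.strip())
    except ValueError as exc:
        raise ValueError("rejected: not an IPv4 address") from exc
    count_flag = "-n" if platform.system() == "Windows" else "-c"
    # Argument vector: each element reaches ping as one argument, unparsed.
    return ["ping", count_flag, str(int(count)), str(addr)]

def is_rejected(user_input):
    # True when the validator refuses the value.
    try:
        build_ping_argv(user_input)
    except ValueError:
        return True
    return False

def safe_ping(user_input):
    argv = build_ping_argv(user_input)
    # shell=False: no shell is involved, so "&", ";" and "|" are not operators.
    done = subprocess.run(argv, shell=False, capture_output=True,
                          text=True, timeout=10)
    return done.stdout

if __name__ == "__main__":
    # Constructed inputs; the second is the test string used in this post.
    for sample in ["127.0.0.1", "127.0.0.1 & ls"]:
        verdict = "rejected" if is_rejected(sample) else build_ping_argv(sample)
        print(repr(sample), "->", verdict)
```
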

Now give DVWA a try with one IP request to see how it works.

I pinged an IP to see how it works and it simply.. Now we can use some evil mind to compromise the web server with command injection. Check the vulnerability with the "& ls" command. Generally we use "ls" to get a list of the files and folders in the directory.

Now any noob can understand that we have complete access to the web server's command prompt, so an attacker can easily compromise the server completely. Let's try this command: "& cd ../../../../../../../../WINDOWS/system32 & dir". You'll get a huge page with complete directory names, files and folders. You can also search for cmd.exe.

Now, how do we hack the complete web server and get the database and all the files? We can even gain root access. We just need to upload our backdoor. Click here to learn how to upload the C99 Shell PHP backdoor and hack a website using command execution.

Thank you for reading our post. Stay tuned with us, please share it to help us grow, and always feel free to comment and let me know your problem.
